The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
References
Link | Resource |
---|---|
https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/ | Exploit Third Party Advisory |
https://wpml.org/ | Product |
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve | Third Party Advisory |
Configurations
History
27 Sep 2024, 13:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/ - Exploit, Third Party Advisory | |
References | () https://wpml.org/ - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve - Third Party Advisory | |
CPE | cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Wpml
Wpml wpml |
|
CWE | CWE-94 |
22 Aug 2024, 12:48
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
21 Aug 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-21 21:15
Updated : 2024-09-27 13:25
NVD link : CVE-2024-6386
Mitre link : CVE-2024-6386
CVE.ORG link : CVE-2024-6386
JSON object : View
Products Affected
wpml
- wpml